Sorry for the lengthy message and cross-posting to ipfilter list. Please
bear with me :-)
OK, let me re-phrase my situation in more details...
Consider the following (I omit routers in between):
    Internet                  Internet
       |                         |
       |                         |
      ISP1                      ISP2
       |                         |
       |                         |
      FW1                       FW2
       |                         |
       |                         |
    ---+----+------+------+-----+---
            |      |      |
            |      |      |
           WWW    DNS    SMTP
Let's assume:
  C      Client's IP address
  FW1-E  FW1's external IP address
  FW1-I  FW1's internal IP address (private)
  FW2-E  FW2's external IP address
  FW2-I  FW2's internal IP address (private)
  W      Web server's IP address (private)
Both FWs are using ipfilter with rdr rules.
WWW's default GW is set to FW1-I.
Let's look at the traditional way (without ISP2 and FW2):
1. When the client sends a request to the web server, it goes like
   C -> FW1-E
2. When the packet hits FW1, FW1 does rdr, then after the firewall the
   packet becomes C -> W.
3. Then the web server sends back a reply, it goes like W -> C.
4. Because there's no specific route to C, the packet goes to the
   default GW which is FW1-I.
5. When FW1 gets the packet, it checks against its nat table and realizes
   that this is the result of a previous connection from C, then FW1
   rewrites the packet header so it becomes FW1-E -> C when the packet
   leaves FW1.
Now, I want to add a redundant link to the Internet (ISP2 and FW2). So I
advertise www.mycompany.com as FW1-E and FW2-E in a round robin manner
in my DNS so half of the client will hit FW2-E when they send the
request to www.mycompany.com. Here is what happens when someone hits
FW2-E:
1. C -> FW2-E
2. FW2 does rdr => C -> W
3. W -> C
4. it goes to FW1 because that is the default GW
5. *FW1 rewrites the packet to FW1-E -> C
6. C is confused: I sent C -> FW2-E but why do I get FW1-E -> C ???
[*] I'm not sure whether FW1 will rewrite the packet because it didn't
see SYN, FW2 saw it. NAT implies state, right?
OK, we can add more than one default route on the web server, but they
must be of different metrics and they are tried from low to high (am I
right on this?). So as long as both our FWs are up, the packet will go
to the lowest metric, which is FW1-I.
The solution suggested by Ben Nagy is to add another NAT to FW2 to
rewrite C's source IP as well. Assuming we add the other NAT box _after_
FW2 (I couldn't add it in front of FW2, it didn't work out):
Internet--FW2--NAT--WWW
Assume:
NAT-F NAT box's FW2 side IP
NAT-I NAT box's WWW side IP
on FW2, I do "route add WWW NAT-F"
on NAT, I do "route add default FW2-I"
So the whole thing becomes:
1. C -> FW2-E
2. FW2 does rdr: C -> W then passes the packet to the NAT box
3. NAT box does NAT: C -> W becomes NAT-I -> W
4. W -> NAT-I
5. because WWW knows where NAT-I is, the packet gets back to NAT
6. NAT translates back: W -> C
7. FW2 translates back: FW2-E -> C
So in theory, this should work, though I've never tried it in the real
world. The problem with this setup is that we have to add another NAT
box in between, which adds complexity and one more point of failure. And
the NAT box is only doing one thing - address rewriting, which is a
waste of resources.
What I'd like to see is whether we can combine FW2 and NAT:
1. C -> FW2-E
2. FW2 doing rdr *and map*: C -> FW2-E becomes FW2-I -> W
3. W -> FW2-I
4. FW2 rewrite back: W -> FW2-I becomes FW2-E -> C
Note that step 2 above is not bimap. I think Darren introduced new
syntax in 3.4.x to allow:
rdr ifX from ip1/m1 to ip2/m2 port = xx -> ip3 port xx
If it could be written as:
rdr ifX from ip1/m1 to ip2/m2 port = xx -> from ip3/m3 to ip4/m4 port xx
that would be great!!! But that is not supported, is it???
Why do we want to do this? Because we need a redundant link to the Internet
and don't have the budget to go with BGP peering.
Sorry again for the long message, hope you guys have the patience to
read through the whole thing.
TIA,
Dennis
PS. Mouss suggested using an ALG. But we are kind of reluctant to go
this way because:
1. We have to open up ports on the firewall.
2. For socks proxy you need socksified client, right? For web cache
proxy like squid it should be OK for web access but what about other
services like DNS and SMTP?
----- Original Message -----
From: "Dennis Dai" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 23, 2001 5:27 PM
Subject: Dual firewall question (revisited)
> Last October there was a thread talking about dual firewall
> configuration:
>
> http://www.geocrawler.com/mail/thread.php3?subject=Dual+firewall+question&list=90
>
> (link may be wrapped)
>
> The question was how you are going to serve web pages when you have 2
> ISPs and thus 2 firewalls (web server is behind the 2 firewalls). So
> far, the solutions are:
>
> 1. use ALG on firewall (from mouss)
> 2. put another NAT box in front of the firewall to translate the source
> IP from the client (from Ben)
>
> My questions are:
>
> - For the first solution, will the ALG break SSL server and client
> authentication (via server and client certs)? If not, what ALG is
> suitable for this kind of task? SOCKS4/5, FWTK come to mind.
>
> - For the second solution, is it possible to combine the NAT and
> firewall box into one (assuming I'm going to use ipfilter in both
> boxes)? My analysis is not likely (without some serious hacking into
> the code, which I'm not really good at). :-(
>
>
> Thanks in advance for any input.
>
> Dennis
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
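As an added illustration (not from Dennis's post and not from the ipfilter project), here is how the combined "rdr and map" step 2 could be written in ipnat syntax as I read the 3.4.x ipnat(5) grammar: a rdr rule on FW2's outside interface for the inbound request, plus a map rule on FW2's inside interface that rewrites the source to FW2-I. The interface names ext0/int0, the addresses and the port are assumptions; the rule forms should be checked against the ipfilter version actually in use.

```conf
# Added example, not from the original post. Assumed (constructed):
#   FW2 outside interface ext0, address FW2-E = 198.51.100.2
#   FW2 inside interface  int0, address FW2-I = 10.0.0.1
#   web server W                           = 10.0.0.10
#
# Inbound on ext0: destination NAT (rdr) so C -> FW2-E becomes C -> W.
rdr ext0 198.51.100.2/32 port 80 -> 10.0.0.10 port 80 tcp

# Outbound on int0: source NAT (map) so C -> W becomes FW2-I -> W.
# map rules are applied to packets leaving the named interface, so the
# packet already rewritten by the rdr above is matched here on its way
# to W. portmap avoids source-port collisions when many clients are
# folded onto the single address FW2-I.
map int0 from 0/0 to 10.0.0.10/32 -> 10.0.0.1/32 portmap tcp/udp 10000:40000

# Expected return path (this is what makes W's default gateway irrelevant):
#   W -> FW2-I arrives on int0, the map entry is reversed to W -> C,
#   then on the way out of ext0 the rdr entry is reversed to FW2-E -> C.
# Matching ipf.conf pass rules for tcp/80 on ext0 and int0 are still
# needed and are omitted here.
```

One operational side effect to plan for: the web server's access logs will now show FW2-I instead of the client address for every connection that came in via FW2, so client-address logging for that path has to be done on FW2 itself.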